SecurID Cards

In order to access our systems remotely, users are assigned a SecurID
card. This card assigns a new, pseudo-random password every minute.
Users can connect to our systems using a combination of this random
password and a short PIN, like your bank account access number. This
system ensures that attackers on remote sites cannot intercept passwords
as a means of breaking into our systems.

Terminology

Key Fob/SecurID Card - the actual physical hardware that
is used by the
users to access the system. Displays a constantly changing
TOKENCODE on its front, along with an indication of how much longer
the code will be valid for. Users are assigned a single card, which
should last (barring abuse) for five years. Each costs ~$80.

PIN - a 4-8 digit string known only to the user, which is
used as a secret password for accessing the system.

This should not be the same as any other PIN you have elsewhere,
such as bank accounts!

While originally this was only set up to allow for digits (0-9),
it now supposedly takes random characters.

The system may force you to change your PIN periodically.

TOKENCODE - a 6-digit string that changes every minute,
dispalyed on the SecurID Key Fob.

PASSCODE - a string combining the PIN and TOKENCODE, which
is what is actually used to enter the system.

Example: if your PIN is "1114" and the current TOKENCODE is
"541064", then your current PASSCODE is "1114541064"

If you do not yet have a PIN, then your PASSCODE is just the
TOKENCODE.

RSA Ace - name of the server product that actually does the
authentication on the back-end.

Connecting to TCB Systems with SecurID

Once you have set your PIN (see below), you can connect to our systems
by using SSH to
connect to login.ks.uiuc.edu. When you try to connect, you
will enter your PASSCODE for access. Once you have connected, you can
connect to any other group machine using your standard system password.

Policies:

Never reveal your PIN to anybody. I can't emphasize this
enough. If we find that you have done so, your card will be
disabled.

All remote SSH access must go through the SecurID system!

Access is only available for full-time group members and graduate
students, and specifically approved long-term collaborators and
guests (with a deposit).

Guests/collaborators must return the card at the end of their
visit or collaboration, or pay $100 for a replacement card.

In the case that a card must be mailed to a collaborator, it will
be sent in "disabled" form. Once it arrives, you can verify your
identity by calling the sysadmin office (217/244-1855); they will
then enable the card.

Each user is assigned only one SecurID card. It should be treated
like all group equipment, and treated with respect.

Initial Setup

When you first get your card, you will need to set your PIN before you
can use the card:

If you have received your SecurID card through mail, then a default
PIN was set by the sysadmin team. Please contact them over the
phone to learn what this PIN is set to.

If you have just gotten your SecurID card in person, then your PIN
is currently unset. You will have to set it on first login, following
the instructions.